The internet of things hasn’t had the best PR when it comes to security. The IoT has connected billions of everyday objects to the internet, and while this is great news for fans of smart devices, it’s also given rise to a whole new generation of .
Encompassing everything from tumble dryers to hospital equipment, the IoT can be found in every walk of life. But this massive growth of IoT devices has come over a relatively short period, and it’s fair to say that security has struggled to keep up.
From to “zombie armies” of used in DDoS attacks, and even , there’s been no shortage of IoT horror stories in recent years. So why has IoT security been such an issue?
One major problem is the lack of a joined-up approach: the absence of industry standards and universally agreed best practices. This is no real surprise considering the diversity of the IoT, with a huge range of traditionally offline technologies suddenly thrown onto the internet.
But amid these severe teething problems, a more secure IoT is emerging. Whether in the form of government guidelines or industry innovation, IoT security is slowly but surely climbing up the priorities list.
New IoT security guidelines
The UK government recently launched a code of practice for manufacturers of internet-connected devices. Created by the Department for Digital, Culture, Media and Sport (DCMS) and GCHQ’s National Cyber Security Centre, the new guidelines are designed to protect smart devices and their users from the most common types of attack.
The code seeks to secure a broad range of IoT devices from hijacking, data breaches and other threats by implementing 13 steps. These include secure data storage, regular software updates, and clear options for the user to delete data and reset their device.
Another of the code’s key steps is mandatory strong passwords. In the wake of the Mirai botnet attack, where thousands of devices were easily hacked due to weak default passwords, it’s clear that users need active reminders to make their login details harder to crack.
The list of guidelines also covers vulnerability disclosure. The code calls for providers of internet-connected devices to implement policies to report known security vulnerabilities as soon as possible. The goal here is to quickly provide users and affected parties with all relevant information to combat security risks.
Of course, this code of practice is only voluntary, but a small number of big-name manufacturers are already signed up. Importantly, it’s local initiatives like this that lay the groundwork for comprehensive global standards – and the UK isn’t the only country taking steps towards improved IoT security.
California’s connected devices bill
In the US, California is the first state to pass an IoT security law. The “” bill comes into force from 2020, and places new legal requirements on all internet-connected devices manufactured or sold in the state.
Under the new bill, weak default passwords will be illegal; each device needs to be assigned its own unique password at the point of manufacture.
The bill also requires every device to come equipped with “reasonable” security features. In practice this means security measures appropriate to the type of data the device deals with. In the case of sensitive personal data, for example, the device needs built-in features to prevent unauthorised access.
While the law is being welcomed as a step towards enhanced IoT security, it’s also been criticised for not going far enough. The bill does little to address the issue of out-of-date software, where devices have known security flaws that are either difficult or impossible to patch. On the plus side, this is an area where the private sector is making real progress.
IoT industry innovation
Arm and Intel are traditionally rivals, but now they’re working together to build a more secure internet of things. The chip manufacturers are collaborating on projects to increase IoT security for business users who need to protect smart devices on a large scale.
Both Arm and Intel are working on technology that embeds IoT security features on their chips. The aim is to simplify and speed up the processes of securely provisioning and updating large numbers of connected devices.
In the past, the fragmentation of IoT technologies has often made the management of multiple devices difficult and time-consuming, with a variety of different processes required. But by collaborating this way, Arm and Intel hope to create common IoT standards, making it easier to roll out more security updates, more often, and automate processes to ensure the latest security fixes are implemented as regularly as possible.
Moves like this are essential in the IoT’s drive towards security. In the context of government guidelines and legal requirements, it’s the industry itself that will have to step up and provide technological solutions. So are we nearing the end of the security scare as the internet of things takes its first baby steps? Only time will tell.